Well, again, the fact that it worked before doesn't mean it's a bug and therefore needs special handling.

This bug can be closed as WONTFIX.

a.


On 06-Feb-12 17:07, Julia Longtin wrote:
No, I mean something in the changes file, so you know *before* you
restart your firewall, and the port forwards are dropped. An outage and
warning that does not tell one what to do to fix it is certainly an issue.

Julia Longtin

On Mon, Feb 6, 2012 at 12:28 PM, Arno van Amersfoort
<arn...@rocky.eld.leidenuniv.nl> wrote:

    Well it does do that:

    Restarting Arno's Iptables Firewall...
    ** WARNING: In Variable NAT_FORWARD_TCP, Rule: "~8888>10.100.0.117~80" is ignored.
    Feb 06 13:27:41 WARNING: Not all firewall rules are applied.

    a.



    On 06-Feb-12 12:54, Julia Longtin wrote:

        Oh, that makes sense to me... except since it WAS valid syntax, it
        means that when it STOPPED being valid syntax, I need a little more
        warning than "oh, all your port forwards no longer exist, have a
        nice day!". I read debchanges, so at least a warning to sysadmins
        that the syntax that used to be valid is no longer valid makes sense
        to me.

        Luckily, there will at least be this thread to guide other
        sysadmins. I had to use bash -x to trace through things and discover
        the 'fix' for my perfectly 'valid' syntax not working.

        Julia Longtin

        On Mon, Feb 6, 2012 at 6:17 AM, Arno van Amersfoort
        <arn...@rocky.eld.leidenuniv.nl> wrote:

            Hello Julia,


            Ah you mean that the first WITH the "~" in front of the 8888 used
            to be a valid syntax? If so, this was never intended and it
            certainly doesn't serve any purpose. The fix is simple, as you
            already know, get rid of it ;-), unless I'm missing something here.


            cheers,

            Arno


            On 03-Feb-12 17:25, Julia Longtin wrote:

                I mean that going from
                "NAT_FORWARD_TCP=~8888>10.100.0.117~80" causes the problem.
                You have the fix correct.

                It's possible my syntax is wrong... but it used to work this
                way.

                Julia Longtin

                On Fri, Feb 3, 2012 at 2:56 PM, Arno van Amersfoort
                <arn...@rocky.eld.leidenuniv.nl> wrote:

                    You mean that "NAT_FORWARD_TCP="8888>10.100.0.117~80"
                    causes the problem and
                    "NAT_FORWARD_TCP="0/0~8888>10.100.0.117~80" fixes that? I
                    tried reproducing it, but I can't get it to fail. Could
                    you provide a snippet of the error?

                    thanks.

                    Arno


                    On 03-Feb-12 15:37, Julia Longtin wrote:

                        Package: arno-iptables-firewall
                        Version: 2.0.1-1
                        Severity: important

                        Dear Maintainer,
                        After performing an upgrade, I have found that the
                        format of the rules expected in firewall.conf has
                        changed. Instead of accepting a blank source IP, it
                        now requires a source IP, or parse_rules fails, and
                        gives a WARNING: rule will be ignored..

                        See the '0/0' that has been added to my
                        NAT_FORWARD_TCP rules.

                        Julia Longtin

                        -- System Information:
                        Debian Release: wheezy/sid
                           APT prefers unstable
                           APT policy: (500, 'unstable'), (500, 'stable')
                        Architecture: i386 (x86_64)

                        Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
                        Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=locale: Cannot set LC_CTYPE to default locale: No such file or directory
                        locale: Cannot set LC_MESSAGES to default locale: No such file or directory
                        locale: Cannot set LC_ALL to default locale: No such file or directory
                        ANSI_X3.4-1968)
                        Shell: /bin/sh linked to /bin/dash

                        Versions of packages arno-iptables-firewall depends on:
                        ii  debconf [debconf-2.0]  1.5.41
                        ii  gawk                   1:3.1.8+dfsg-0.1
                        ii  iproute                20120105-1
                        ii  iptables               1.4.12.2-1

                        Versions of packages arno-iptables-firewall recommends:
                        ii  dnsutils  1:9.8.1.dfsg.P1-2
                        ii  lynx      2.8.8dev.9-3
                        ii  rsyslog   5.8.6-1

                        arno-iptables-firewall suggests no packages.

                        -- Configuration Files:
                        /etc/arno-iptables-firewall/firewall.conf changed:
                        EXT_IF="$DC_EXT_IF"
                        EXT_IF_DHCP_IP=$DC_EXT_IF_DHCP_IP
                        EXTERNAL_DHCP_SERVER=0
                        EXTERNAL_DHCPV6_SERVER=0
                        INT_IF="$DC_INT_IF"
                        INTERNAL_NET="$DC_INTERNAL_NET"
                        INTERNAL_NET_ANTISPOOF=1
                        DMZ_IF=""
                        DMZ_NET=""
                        DMZ_NET_ANTISPOOF=1
                        NAT=$DC_NAT
                        NAT_INTERNAL_NET="$DC_NAT_INTERNAL_NET"
                        NAT_LOCAL_REDIRECT=1
                        NAT_FORWARD_TCP="0/0~8888>10.100.0.117~80 \
                        0/0~8889>10.100.0.88~80 \
                        0/0~8890>10.100.0.40~80 \
                        0/0~8891>10.100.0.58~80 \
                        0/0~8892>10.100.0.100~80 \
                        0/0~8893>10.100.0.20~80 \
                        0/0~2280>10.100.0.44~22 \
                        0/0~2281>10.100.0.75~22 \
                        0/0~8333>10.100.0.95~8333 "
                        NAT_FORWARD_UDP=""
                        NAT_FORWARD_IP=""
                        INET_FORWARD_TCP=""
                        INET_FORWARD_UDP=""
                        INET_FORWARD_IP=""
                        IP4TABLES="/sbin/iptables"
                        IP6TABLES="/sbin/ip6tables"
                        ENV_FILE="/usr/share/arno-iptables-firewall/environment"
                        PLUGIN_BIN_PATH="/usr/share/arno-iptables-firewall/plugins"
                        PLUGIN_CONF_PATH="/etc/arno-iptables-firewall/plugins"
                        DMESG_PANIC_ONLY=1
                        MANGLE_TOS=1
                        SET_MSS=1
                        TTL_INC=0
                        USE_IRC=0
                        LOOSE_FORWARD=0
                        FORWARD_LINK_LOCAL=0
                        IPV6_DROP_RH_ZERO=1
                        RESERVED_NET_DROP=0
                        DRDOS_PROTECT=0
                        IPV6_SUPPORT=0
                        NMB_BROADCAST_FIX=0
                        COMPILED_IN_KERNEL_MESSAGES=1
                        DEFAULT_POLICY_DROP=1
                        TRUSTED_IF=""
                        IF_TRUSTS=""
                        CUSTOM_RULES="/etc/arno-iptables-firewall/custom-rules"
                        LOCAL_CONFIG_FILE=""
                        DISABLE_IPTABLES_BATCH=0
                        TRACE=0
                        BLOCKED_HOST_LOG=1
                        SCAN_LOG=1
                        POSSIBLE_SCAN_LOG=1
                        BAD_FLAGS_LOG=1
                        INVALID_TCP_LOG=0
                        INVALID_UDP_LOG=0
                        INVALID_ICMP_LOG=0
                        RESERVED_NET_LOG=0
                        FRAG_LOG=1
                        INET_OUTPUT_DENY_LOG=1
                        LAN_OUTPUT_DENY_LOG=1
                        LAN_INPUT_DENY_LOG=1
                        DMZ_OUTPUT_DENY_LOG=1
                        DMZ_INPUT_DENY_LOG=1
                        FORWARD_DROP_LOG=1
                        LINK_LOCAL_DROP_LOG=1
                        ICMP_REQUEST_LOG=1
                        ICMP_OTHER_LOG=1
                        PRIV_TCP_LOG=1
                        PRIV_UDP_LOG=1
                        UNPRIV_TCP_LOG=1
                        UNPRIV_UDP_LOG=1
                        IGMP_LOG=1
                        OTHER_IP_LOG=1
                        ICMP_FLOOD_LOG=1
                        FIREWALL_LOG="/var/log/arno-iptables-firewall"
                        LOGLEVEL="info"
                        LOG_HOST_INPUT_TCP=""
                        LOG_HOST_INPUT_UDP=""
                        LOG_HOST_INPUT_IP=""
                        LOG_HOST_OUTPUT_TCP=""
                        LOG_HOST_OUTPUT_UDP=""
                        LOG_HOST_OUTPUT_IP=""
                        LOG_INPUT_TCP=""
                        LOG_INPUT_UDP=""
                        LOG_INPUT_IP=""
                        LOG_OUTPUT_TCP=""
                        LOG_OUTPUT_UDP=""
                        LOG_OUTPUT_IP=""
                        LOG_HOST_INPUT=""
                        LOG_HOST_OUTPUT=""
                        SYN_PROT=1
                        REDUCE_DOS_ABILITY=1
                        ECHO_IGNORE=0
                        LOG_MARTIANS=1
                        IP_FORWARDING=1
                        IPV6_AUTO_CONFIGURATION=1
                        ICMP_REDIRECT=0
                        CONNTRACK=16384
                        ECN=1
                        RP_FILTER=1
                        SOURCE_ROUTE_PROTECTION=1
                        LOCAL_PORT_RANGE="32768 61000"
                        DEFAULT_TTL=64
                        NO_PMTU_DISCOVERY=0
                        LAN_OPEN_ICMP=1
                        LAN_OPEN_TCP="21 22 80"
                        LAN_OPEN_UDP="53 67 69"
                        LAN_OPEN_IP=""
                        LAN_DENY_TCP=""
                        LAN_DENY_UDP=""
                        LAN_DENY_IP=""
                        LAN_HOST_OPEN_TCP=""
                        LAN_HOST_OPEN_UDP=""
                        LAN_HOST_OPEN_IP=""
                        LAN_HOST_DENY_TCP=""
                        LAN_HOST_DENY_UDP=""
                        LAN_HOST_DENY_IP=""
                        LAN_INET_OPEN_ICMP=1
                        LAN_INET_OPEN_TCP=""
                        LAN_INET_OPEN_UDP=""
                        LAN_INET_OPEN_IP=""
                        LAN_INET_DENY_TCP=""
                        LAN_INET_DENY_UDP=""
                        LAN_INET_DENY_IP=""
                        LAN_INET_HOST_OPEN_TCP=""
                        LAN_INET_HOST_OPEN_UDP=""
                        LAN_INET_HOST_OPEN_IP=""
                        LAN_INET_HOST_DENY_TCP=""
                        LAN_INET_HOST_DENY_UDP=""
                        LAN_INET_HOST_DENY_IP=""
                        DMZ_OPEN_ICMP=1
                        DMZ_OPEN_TCP=""
                        DMZ_OPEN_UDP=""
                        DMZ_OPEN_IP=""
                        DMZ_HOST_OPEN_TCP=""
                        DMZ_HOST_OPEN_UDP=""
                        DMZ_HOST_OPEN_IP=""
                        INET_DMZ_OPEN_ICMP=0
                        INET_DMZ_OPEN_TCP=""
                        INET_DMZ_OPEN_UDP=""
                        INET_DMZ_OPEN_IP=""
                        INET_DMZ_DENY_TCP=""
                        INET_DMZ_DENY_UDP=""
                        INET_DMZ_DENY_IP=""
                        INET_DMZ_HOST_OPEN_TCP=""
                        INET_DMZ_HOST_OPEN_UDP=""
                        INET_DMZ_HOST_OPEN_IP=""
                        INET_DMZ_HOST_DENY_TCP=""
                        INET_DMZ_HOST_DENY_UDP=""
                        INET_DMZ_HOST_DENY_IP=""
                        DMZ_INET_OPEN_ICMP=1
                        DMZ_INET_OPEN_TCP=""
                        DMZ_INET_OPEN_UDP=""
                        DMZ_INET_OPEN_IP=""
                        DMZ_INET_DENY_TCP=""
                        DMZ_INET_DENY_UDP=""
                        DMZ_INET_DENY_IP=""
                        DMZ_INET_HOST_OPEN_TCP=""
                        DMZ_INET_HOST_OPEN_UDP=""
                        DMZ_INET_HOST_OPEN_IP=""
                        DMZ_INET_HOST_DENY_TCP=""
                        DMZ_INET_HOST_DENY_UDP=""
                        DMZ_INET_HOST_DENY_IP=""
                        DMZ_LAN_OPEN_ICMP=0
                        DMZ_LAN_HOST_OPEN_TCP=""
                        DMZ_LAN_HOST_OPEN_UDP=""
                        DMZ_LAN_HOST_OPEN_IP=""
                        FULL_ACCESS_HOSTS=""
                        BROADCAST_TCP_NOLOG=""
                        HOST_OPEN_TCP=""
                        HOST_OPEN_UDP=""
                        HOST_OPEN_IP=""
                        HOST_OPEN_ICMP=""
                        HOST_DENY_TCP=""
                        HOST_DENY_UDP=""
                        HOST_DENY_IP=""
                        HOST_DENY_ICMP=""
                        HOST_DENY_TCP_NOLOG=""
                        HOST_DENY_UDP_NOLOG=""
                        HOST_DENY_IP_NOLOG=""
                        HOST_DENY_ICMP_NOLOG=""
                        HOST_REJECT_TCP=""
                        HOST_REJECT_UDP=""
                        HOST_REJECT_TCP_NOLOG=""
                        HOST_REJECT_UDP_NOLOG=""
                        DENY_TCP_OUTPUT=""
                        DENY_UDP_OUTPUT=""
                        DENY_IP_OUTPUT=""
                        HOST_DENY_TCP_OUTPUT=""
                        HOST_DENY_UDP_OUTPUT=""
                        HOST_DENY_IP_OUTPUT=""
                        OPEN_ICMP=$DC_OPEN_ICMP
                        OPEN_ICMPV6=1
                        OPEN_TCP="$DC_OPEN_TCP"
                        OPEN_UDP="$DC_OPEN_UDP"
                        OPEN_IP=""
                        DENY_TCP=""
                        DENY_UDP=""
                        DENY_TCP_NOLOG=""
                        DENY_UDP_NOLOG=""
                        REJECT_TCP=""
                        REJECT_UDP=""
                        REJECT_TCP_NOLOG=""
                        REJECT_UDP_NOLOG=""
                        BLOCK_HOSTS=""
                        BLOCK_HOSTS_BIDIRECTIONAL=1


                        -- debconf information:
                        perl: warning: Setting locale failed.
                        perl: warning: Please check that your locale settings:
                                LANGUAGE = (unset),
                                LC_ALL = (unset),
                                LANG = "en_GB.UTF-8"
                             are supported and installed on your system.
                        perl: warning: Falling back to the standard locale ("C").
                        locale: Cannot set LC_CTYPE to default locale: No such file or directory
                        locale: Cannot set LC_MESSAGES to default locale: No such file or directory
                        locale: Cannot set LC_ALL to default locale: No such file or directory
                        * arno-iptables-firewall/config-int-nat-net: 10.100.0/24 172.16.0/24
                        * arno-iptables-firewall/dynamic-ip: true
                        * arno-iptables-firewall/config-int-net: 10.100.0/24 172.16.0/24
                        * arno-iptables-firewall/icmp-echo: true
                        * arno-iptables-firewall/services-udp: 53
                          arno-iptables-firewall/title:
                        * arno-iptables-firewall/config-ext-if: eth0
                        * arno-iptables-firewall/services-tcp: 22 53 80
                        * arno-iptables-firewall/restart: true
                        * arno-iptables-firewall/config-int-if: eth1 br0
                        * arno-iptables-firewall/nat: true
                        * arno-iptables-firewall/debconf-wanted: true



                        -- debsums errors found:
                        perl: warning: Setting locale failed.
                        perl: warning: Please check that your locale settings:
                                LANGUAGE = (unset),
                                LC_ALL = (unset),
                                LANG = "en_GB.UTF-8"
                             are supported and installed on your system.
                        perl: warning: Falling back to the standard locale ("C").
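
A pre-restart check for the failure discussed in this thread, as an added example that is not part of the original messages or of arno-iptables-firewall: it flags NAT_FORWARD entries with an empty source (a leading "~"), the form reported above as ignored in 2.0.1-1. The function names and the sample rules are constructed for illustration, and the entry format is inferred only from the rules quoted in the thread.

```shell
#!/bin/sh
# Added example, not part of arno-iptables-firewall.
# Assumption (from the rules quoted in this thread): an entry looks like
#   [source~]port>dest_ip[~dest_port]
# and an entry whose source is empty (leading "~") is ignored after upgrade.

# suggest_fix ENTRY: print ENTRY with an explicit 0/0 source if it is empty.
suggest_fix() {
    case "$1" in
        "~"*) printf '0/0%s\n' "$1" ;;
        *)    printf '%s\n' "$1" ;;
    esac
}

# lint_nat_forward "RULES": print one line per entry that would be ignored.
# Returns 1 if any entry was flagged, 0 if the whole value looks usable.
lint_nat_forward() {
    lint_bad=0
    set -f                      # no globbing while splitting on whitespace
    for lint_entry in $1; do
        case "$lint_entry" in
            "~"*)
                printf 'empty source: %s -> %s\n' \
                    "$lint_entry" "$(suggest_fix "$lint_entry")"
                lint_bad=1 ;;
            *">"*)
                ;;              # has a port>destination part
            *)
                printf 'no ">" destination: %s\n' "$lint_entry"
                lint_bad=1 ;;
        esac
    done
    set +f
    return "$lint_bad"
}

# Constructed sample standing in for the NAT_FORWARD_TCP value from
# firewall.conf: the first entry is the pre-upgrade form from the thread.
SAMPLE_RULES="~8888>10.100.0.117~80 0/0~8889>10.100.0.88~80 2280>10.100.0.44~22"

if lint_nat_forward "$SAMPLE_RULES"; then
    echo "NAT_FORWARD rules look fine"
else
    echo "fix the entries above before restarting the firewall"
fi
```

Running the check on the configured value before a restart surfaces the ignored rule while the existing forwards are still in place.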








